Windows Server 2019 Kerberos failure on one DC


I have two 2019 DCs in the domain, and one of them has apparently gone astray.  Lots of symptoms, and malfunctions, but I am hopeful that fixing one fixes all.  Let's call them Server 1 and 2.  Server 1 seems to be the problem child.

In Server Manager on either one, under All Servers, each reports a Kerberos security error for the other one.  Both are Hyper-V instances. However, on Server 1 I cannot run Group Policy - no RPC server even though the service is running, NSLOOKUP can't find server or domain information, and both DHCP and DNS seem to have issues (DHCP has failover configured between the two).  DHCP has an orange arrow over IPv4 on Server 2, yet it won't allow configuring to add Server 1.  On Server 2, Group Policy and NSLOOKUP work fine.  On Server 2, access to DHCP & DNS is fine for itself but fails to manage Server 1.  On Server 1, DNS appears but cannot manage Server 2.  DHCP on Server 1 does not have a defined scope although it is supposed to replicate from Server 2.

I ran SETSPN -X on both servers and neither reported a duplicate.

I had backups of the .vhdx files going back about a month, but restoring them did not fix things.

I also tried demoting Server 1, removing AD, DNS, and DHCP and then leaving the domain all of which seemed to work.  However, when I tried reversing that, I was NOT able to rejoin the domain as it could not be found.  I had set the DNS server to Server 2 on the NIC for Server 1 but still could not be found.

The other possible symptom is that some W10 machines are throwing off authentication errors, I think. I haven't had time to fully track that down, and I also assume that once I get Server 1 communicating to AD again things will fall into place.

I am at a bit of a loss on what to do now.  How can I fix the Kerberos error?  I have some applications installed on Server 1 that have one-time license permissions, so starting all over with a new server and just ignoring Server 1 is not a great option.

Thanks to all you gurus in advance.

0 Replies
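The symptoms above (each DC flagging the other with a Kerberos error, "RPC server unavailable", NSLOOKUP failing on one DC, a rejoin that "could not find" the domain) are usually one of a handful of root causes: clock skew past the 5-minute Kerberos tolerance, broken DNS locator records, a stale computer-account secure channel, or duplicate SPNs. The script below is an added triage example, not code from the original poster; it collects those checks in one pass. `server2.corp.example` and `corp.example` are placeholder names you must replace with your own. Run it from an elevated PowerShell prompt on the suspect DC, then again on the healthy one, and compare the two outputs.

```powershell
# Added example: first-pass Kerberos/DC triage. Run elevated on the suspect DC (Server 1).
# $PartnerDC and $Domain are placeholders (assumed names), not values from the post.
param(
    [string]$PartnerDC = 'server2.corp.example',   # assumed name of the healthy DC
    [string]$Domain    = 'corp.example'            # assumed AD DNS domain name
)

$results = [ordered]@{}

# 1. Clock skew. Kerberos rejects tickets when clocks differ by more than 5 minutes
#    (default tolerance); Server Manager then shows a Kerberos security error for the peer.
$chart   = w32tm /stripchart /computer:$PartnerDC /samples:3 /dataonly 2>&1
$offsets = $chart | Select-String '([+-]\d+\.\d+)s' |
           ForEach-Object { [double]$_.Matches[0].Groups[1].Value }
$results['ClockSkewSeconds'] = if ($offsets) { ($offsets | Measure-Object -Maximum).Maximum } else { 'unreachable' }

# 2. Services Kerberos, DNS and RPC depend on.
foreach ($svc in 'kdc', 'Netlogon', 'DNS', 'RpcSs', 'W32Time') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $results["Service:$svc"] = if ($s) { $s.Status } else { 'not installed' }
}

# 3. Ports this DC must reach on the partner: DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389.
foreach ($port in 53, 88, 135, 389) {
    $t = Test-NetConnection -ComputerName $PartnerDC -Port $port -WarningAction SilentlyContinue
    $results["Port:$port->$PartnerDC"] = $t.TcpTestSucceeded
}

# 4. DNS locator records: a domain join or DC lookup needs the _ldap._tcp.dc._msdcs SRV records.
#    Query both this host and the partner so a one-sided DNS problem is visible.
foreach ($srv in @($env:COMPUTERNAME, $PartnerDC)) {
    try {
        $rec = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $srv -ErrorAction Stop
        $results["SRV via $srv"] = ($rec | Where-Object Type -eq 'SRV' |
                                    Select-Object -ExpandProperty NameTarget) -join ','
    } catch {
        $results["SRV via $srv"] = "FAILED: $($_.Exception.Message)"
    }
}

# 5. Secure channel: does this DC's computer-account password still match what AD holds?
$sc = nltest /sc_verify:$Domain 2>&1
$results['SecureChannel'] = if ($sc -match 'NERR_Success') { 'OK' } else { ($sc -join ' ').Trim() }

# 6. Duplicate SPNs, a classic cause of KRB_AP_ERR_MODIFIED between two DCs.
$spn = setspn -X 2>&1 | Select-String 'found (\d+) group'
$results['DuplicateSpnGroups'] = if ($spn) { [int]$spn.Matches[0].Groups[1].Value } else { 'unknown' }

# 7. Recent Kerberos client errors on this host (event ID 4 is KRB_AP_ERR_MODIFIED).
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
                   -MaxEvents 10 -ErrorAction SilentlyContinue
$results['RecentKerberosEvents'] = ($ev | ForEach-Object { "$($_.TimeCreated.ToString('s')) id=$($_.Id)" }) -join '; '

# 8. Replication as seen from this DC (ActiveDirectory module ships with the AD DS role).
try {
    $rep = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -ErrorAction Stop
    $results['Replication'] = ($rep | ForEach-Object {
        "$($_.Partner): result=$($_.LastReplicationResult) lastSuccess=$($_.LastReplicationSuccess)"
    }) -join '; '
} catch {
    $results['Replication'] = "FAILED: $($_.Exception.Message)"
}

[PSCustomObject]$results | Format-List
```

Read the output top to bottom: a skew above 300 seconds or a stopped `kdc`/`Netlogon` explains the Kerberos error on its own; `FAILED` on the SRV lookup via the local host while the partner answers points at the local DNS zone; anything other than `OK` for the secure channel means the machine's own account trust is broken and a `netdom resetpwd` against the healthy DC (or the demote-and-repromote the poster attempted, after metadata cleanup) is the usual remedy.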